Browse Source

[Nanobox] Tuning Update (#6660)

Various preformance and stability enhancements for instances deployed via Nanobox.
Daniel Hunsaker 9 months ago
parent
commit
b725924f0a
3 changed files with 110 additions and 16 deletions
  1. 91
    4
      .env.nanobox
  2. 12
    11
      boxfile.yml
  3. 7
    1
      nanobox/nginx-web.conf.erb

+ 91
- 4
.env.nanobox View File

@@ -13,11 +13,29 @@ DB_PORT=5432
13 13
 
14 14
 DATABASE_URL=postgresql://$DATA_DB_USER:$DATA_DB_PASS@$DATA_DB_HOST/gonano
15 15
 
16
+# Optional ElasticSearch configuration
17
+# ES_ENABLED=true
18
+# ES_HOST=localhost
19
+# ES_PORT=9200
20
+
21
+# Optimizations
22
+LD_PRELOAD=/data/lib/libjemalloc.so
23
+
24
+# ImageMagick optimizations
25
+MAGICK_TEMPORARY_PATH=/app/tmp
26
+MAGICK_MEMORY_LIMIT=128MiB
27
+MAGICK_MAP_LIMIT=64MiB
28
+MAGICK_TIME_LIMIT=15
29
+MAGICK_AREA_LIMIT=16MP
30
+MAGICK_WIDTH_LIMIT=8KP
31
+MAGICK_HEIGHT_LIMIT=8KP
32
+
16 33
 # Federation
17
-# Note: Changing LOCAL_DOMAIN or LOCAL_HTTPS at a later time will cause unwanted side effects.
34
+# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
18 35
 # LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
19 36
 LOCAL_DOMAIN=${APP_NAME}.nanoapp.io
20
-LOCAL_HTTPS=false
37
+
38
+# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
21 39
 
22 40
 # Use this only if you need to run mastodon on a different domain than the one used for federation.
23 41
 # You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
@@ -31,7 +49,6 @@ LOCAL_HTTPS=false
31 49
 
32 50
 # Application secrets
33 51
 # Generate each with the `rake secret` task (`nanobox run bundle exec rake secret`)
34
-PAPERCLIP_SECRET=$PAPERCLIP_SECRET
35 52
 SECRET_KEY_BASE=$SECRET_KEY_BASE
36 53
 OTP_SECRET=$OTP_SECRET
37 54
 
@@ -131,9 +148,79 @@ SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
131 148
 
132 149
 # Cluster number setting for streaming API server.
133 150
 # If you comment out following line, cluster number will be `numOfCpuCores - 1`.
134
-STREAMING_CLUSTER_NUM=1
151
+# STREAMING_CLUSTER_NUM=1
135 152
 
136 153
 # Docker mastodon user
137 154
 # If you use Docker, you may want to assign UID/GID manually.
138 155
 # UID=1000
139 156
 # GID=1000
157
+
158
+# LDAP authentication (optional)
159
+# LDAP_ENABLED=true
160
+# LDAP_HOST=localhost
161
+# LDAP_PORT=389
162
+# LDAP_METHOD=simple_tls
163
+# LDAP_BASE=
164
+# LDAP_BIND_DN=
165
+# LDAP_PASSWORD=
166
+# LDAP_UID=cn
167
+
168
+# PAM authentication (optional)
169
+# PAM authentication uses for the email generation the "email" pam variable
170
+# and optional as fallback PAM_DEFAULT_SUFFIX
171
+# The pam environment variable "email" is provided by:
172
+# https://github.com/devkral/pam_email_extractor
173
+# PAM_ENABLED=true
174
+# Fallback Suffix for email address generation (nil by default)
175
+# PAM_DEFAULT_SUFFIX=pam
176
+# Name of the pam service (pam "auth" section is evaluated)
177
+# PAM_DEFAULT_SERVICE=rpam
178
+# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
179
+# PAM_CONTROLLED_SERVICE=rpam
180
+
181
+# Global OAuth settings (optional) :
182
+# If you have only one strategy, you may want to enable this
183
+# OAUTH_REDIRECT_AT_SIGN_IN=true
184
+
185
+# Optional CAS authentication (cf. omniauth-cas) :
186
+# CAS_ENABLED=true
187
+# CAS_URL=https://sso.myserver.com/
188
+# CAS_HOST=sso.myserver.com/
189
+# CAS_PORT=443
190
+# CAS_SSL=true
191
+# CAS_VALIDATE_URL=
192
+# CAS_CALLBACK_URL=
193
+# CAS_LOGOUT_URL=
194
+# CAS_LOGIN_URL=
195
+# CAS_UID_FIELD='user'
196
+# CAS_CA_PATH=
197
+# CAS_DISABLE_SSL_VERIFICATION=false
198
+# CAS_UID_KEY='user'
199
+# CAS_NAME_KEY='name'
200
+# CAS_EMAIL_KEY='email'
201
+# CAS_NICKNAME_KEY='nickname'
202
+# CAS_FIRST_NAME_KEY='firstname'
203
+# CAS_LAST_NAME_KEY='lastname'
204
+# CAS_LOCATION_KEY='location'
205
+# CAS_IMAGE_KEY='image'
206
+# CAS_PHONE_KEY='phone'
207
+
208
+# Optional SAML authentication (cf. omniauth-saml)
209
+# SAML_ENABLED=true
210
+# SAML_ACS_URL=
211
+# SAML_ISSUER=http://localhost:3000/auth/auth/saml/callback
212
+# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
213
+# SAML_IDP_CERT=
214
+# SAML_IDP_CERT_FINGERPRINT=
215
+# SAML_NAME_IDENTIFIER_FORMAT=
216
+# SAML_CERT=
217
+# SAML_PRIVATE_KEY=
218
+# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
219
+# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
220
+# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
221
+# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
222
+# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
223
+# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.5.4.42"
224
+# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
225
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
226
+# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=

+ 12
- 11
boxfile.yml View File

@@ -1,7 +1,7 @@
1 1
 run.config:
2 2
   engine: ruby
3 3
   engine.config:
4
-    runtime: ruby-2.4
4
+    runtime: ruby-2.5
5 5
 
6 6
   extra_packages:
7 7
     # basic servers:
@@ -10,6 +10,7 @@ run.config:
10 10
 
11 11
     # for images:
12 12
     - ImageMagick
13
+    - jemalloc
13 14
 
14 15
     # for videos:
15 16
     - ffmpeg3
@@ -37,7 +38,7 @@ run.config:
37 38
     - yarn.lock
38 39
 
39 40
   extra_steps:
40
-    - envsubst < .env.nanobox > .env
41
+    - cp .env.nanobox .env
41 42
     - yarn
42 43
 
43 44
   fs_watch: true
@@ -47,7 +48,7 @@ deploy.config:
47 48
   extra_steps:
48 49
     - NODE_ENV=production bundle exec rake assets:precompile
49 50
   transform:
50
-    - "sed 's/LOCAL_HTTPS=.*/LOCAL_HTTPS=true/i' /app/.env.nanobox | envsubst > /app/.env.production"
51
+    - "envsubst < /app/.env.nanobox > /app/.env.production"
51 52
     - |-
52 53
         if [ -z "$LOCAL_DOMAIN" ]
53 54
         then
@@ -186,7 +187,7 @@ worker.cron_only:
186 187
 
187 188
 
188 189
 data.db:
189
-  image: nanobox/postgresql:9.5
190
+  image: nanobox/postgresql:9.6
190 191
 
191 192
   cron:
192 193
     - id: backup
@@ -196,11 +197,11 @@ data.db:
196 197
         gzip |
197 198
         curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/backup-${HOSTNAME}-$(date -u +%Y-%m-%d.%H-%M-%S).sql.gz --data-binary @- &&
198 199
         curl -k -s -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/ |
199
-        json_pp |
200
+        sed 's/,/\n/g' |
200 201
         grep ${HOSTNAME} |
201 202
         sort |
202 203
         head -n-${BACKUP_COUNT:-1} |
203
-        sed 's/.*: "\(.*\)".*/\1/' |
204
+        sed 's/.*: \?"\(.*\)".*/\1/' |
204 205
         while read file
205 206
         do
206 207
           curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/${file} -X DELETE
@@ -208,7 +209,7 @@ data.db:
208 209
 
209 210
 
210 211
 data.redis:
211
-  image: nanobox/redis:3.0
212
+  image: nanobox/redis:4.0
212 213
 
213 214
   cron:
214 215
     - id: backup
@@ -216,11 +217,11 @@ data.redis:
216 217
       command: |
217 218
         curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/backup-${HOSTNAME}-$(date -u +%Y-%m-%d.%H-%M-%S).rdb --data-binary @/data/var/db/redis/dump.rdb &&
218 219
         curl -k -s -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/ |
219
-        json_pp |
220
+        sed 's/,/\n/g' |
220 221
         grep ${HOSTNAME} |
221 222
         sort |
222 223
         head -n-${BACKUP_COUNT:-1} |
223
-        sed 's/.*: "\(.*\)".*/\1/' |
224
+        sed 's/.*: \?"\(.*\)".*/\1/' |
224 225
         while read file
225 226
         do
226 227
           curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/${file} -X DELETE
@@ -237,11 +238,11 @@ data.storage:
237 238
         tar cz -C /data/var/db/unfs/ . |
238 239
         curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/backup-${HOSTNAME}-$(date -u +%Y-%m-%d.%H-%M-%S).tgz --data-binary @- &&
239 240
         curl -k -s -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/ |
240
-        json_pp |
241
+        sed 's/,/\n/g' |
241 242
         grep ${HOSTNAME} |
242 243
         sort |
243 244
         head -n-${BACKUP_COUNT:-1} |
244
-        sed 's/.*: "\(.*\)".*/\1/' |
245
+        sed 's/.*: \?"\(.*\)".*/\1/' |
245 246
         while read file
246 247
         do
247 248
           curl -k -H "X-AUTH-TOKEN: ${WAREHOUSE_DATA_HOARDER_TOKEN}" https://${WAREHOUSE_DATA_HOARDER_HOST}:7410/blobs/${file} -X DELETE

+ 7
- 1
nanobox/nginx-web.conf.erb View File

@@ -58,15 +58,21 @@ http {
58 58
             proxy_pass_header Server;
59 59
 
60 60
             proxy_pass http://rails;
61
-            proxy_buffering off;
61
+            proxy_buffering on;
62 62
             proxy_redirect off;
63 63
             proxy_http_version 1.1;
64 64
             proxy_set_header Upgrade $http_upgrade;
65 65
             proxy_set_header Connection $connection_upgrade;
66 66
 
67
+            proxy_cache CACHE;
68
+            proxy_cache_valid 200 7d;
69
+            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
70
+
67 71
             tcp_nodelay on;
68 72
         }
69 73
     }
70 74
 
75
+    proxy_cache_path /data/var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
76
+
71 77
     error_page 500 501 502 503 504 /500.html;
72 78
 }